Initial access has become a management problem as much as a technical problem. The same intrusion path can begin with a known exploited vulnerability on an edge system, continue through stolen credentials or OAuth abuse, and expand through a supplier connection that no single team fully owns.
Why the old split is failing
Many organizations still separate vulnerability management, IAM, procurement, endpoint response, and third-party governance into different reporting lines. Attackers combine those surfaces. A single exposed appliance, a stale VPN account, an over-permissioned service account, or a supplier remote-access path can become the same intrusion story.
CISA's Known Exploited Vulnerabilities catalog is useful because it shifts the question from theoretical severity to observed exploitation. Absence from the catalog is not evidence of safety: CISA adds an entry only once exploitation in the wild has been confirmed, so a vulnerability can be under attack for some time before it is listed. Even with that caveat, exploited-vulnerability data only becomes valuable when it is joined to asset ownership, identity reachability, compensating controls, and the business services that depend on the exposed system.
The operating picture leaders need
A decision-ready initial-access view should answer five questions: what is exposed to the internet, what is known to be exploited, which identities can reach those assets, which suppliers can authenticate into the environment, and which business services would be affected if the path were abused.
This is not a dashboard-only problem. The operating picture must also include accountable owners, exception dates, compensating controls, and a clear escalation path when a high-risk exposure is not remediated on time.
Recommended control posture
Cyberpert recommends joining external attack surface management, KEV-driven remediation, privileged access review, supplier access governance, and token inventory into one weekly exposure room. The agenda should be short: exploited vulnerabilities, exposed assets, privileged paths, supplier access, remediation blockers, and executive decisions required.
The best metric is not the raw count of open vulnerabilities. Better metrics include time-to-remove internet exposure, percentage of KEV items with business owners, supplier accounts without expiry, privileged accounts without recent review, and number of crown-jewel paths with no tested containment action.
Signals to watch
Signals that deserve immediate review include edge devices with emergency advisories, unmanaged remote access, service accounts with no owner, inactive supplier users, new OAuth applications granted broad permissions, credential stuffing against externally exposed portals, and sign-ins that imply impossible travel or originate from high-risk locations.
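Three of those signals can be checked mechanically from sign-in, consent and account data. The script below is an added example written for this page, not code from Cyberpert or from any product it describes. It runs over constructed sample events (the users, applications and suppliers are made up; the OAuth scope strings borrow Microsoft Graph naming only as an illustration) and the 900 km/h travel threshold, the 7-day window for new grants, the 90-day idle window and the "broad scope" list are all assumptions to tune per environment.

```python
"""Three initial-access signals over constructed events: impossible travel,
new OAuth grants with broad permissions, and inactive supplier accounts."""
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt

# Constructed sample data for illustration only (not real users, apps or suppliers).
NOW = datetime(2024, 6, 3, 12, 0, tzinfo=timezone.utc)

SIGNINS = [
    # (user, timestamp, latitude, longitude)
    ("alice@example.test", NOW - timedelta(hours=5), 52.52, 13.40),   # Berlin
    ("alice@example.test", NOW - timedelta(hours=4), 40.71, -74.01),  # New York, one hour later
    ("bob@example.test",   NOW - timedelta(hours=3), 48.85, 2.35),    # Paris
    ("bob@example.test",   NOW - timedelta(hours=1), 50.85, 4.35),    # Brussels, two hours later
]

OAUTH_GRANTS = [
    # (app_id, display_name, granted_at, scopes); scope strings follow Microsoft Graph
    # naming as an illustration, the applications themselves are made up
    ("app-1", "Calendar Helper", NOW - timedelta(days=40), {"Calendars.Read"}),
    ("app-2", "Bulk Mail Sync",  NOW - timedelta(days=2),  {"Mail.ReadWrite", "Directory.ReadWrite.All"}),
    ("app-3", "Backup Tool",     NOW - timedelta(days=1),  {"Files.Read"}),
]

SUPPLIER_ACCOUNTS = [
    # (account, supplier, last_signin or None if never used)
    ("svc-acme-vpn",     "ACME Logistics",   NOW - timedelta(days=120)),
    ("svc-bolt-support", "Bolt Telecom",     NOW - timedelta(days=3)),
    ("svc-nord-eng",     "Nord Engineering", None),
]

# Assumed "broad" permission set; tune to the tenant's own risk appetite.
BROAD_SCOPES = {"Directory.ReadWrite.All", "Mail.ReadWrite", "Mail.Read",
                "Files.ReadWrite.All", "User.ReadWrite.All"}


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(signins, max_speed_kmh=900.0):
    """Flag consecutive sign-ins by one user that would require travelling
    faster than an airliner (the 900 km/h threshold is an assumption)."""
    by_user = {}
    for user, ts, lat, lon in sorted(signins, key=lambda e: (e[0], e[1])):
        by_user.setdefault(user, []).append((ts, lat, lon))
    findings = []
    for user, events in by_user.items():
        for (t1, la1, lo1), (t2, la2, lo2) in zip(events, events[1:]):
            km = haversine_km(la1, lo1, la2, lo2)
            hours = (t2 - t1).total_seconds() / 3600
            # Two sign-ins from the same place are never "travel", so require km > 0
            if km > 0 and (hours <= 0 or km / hours > max_speed_kmh):
                findings.append({"user": user, "km": round(km), "hours": round(hours, 2)})
    return findings


def broad_oauth_grants(grants, now=NOW, since_days=7):
    """New consent grants whose scopes intersect the broad-permission set."""
    cutoff = now - timedelta(days=since_days)
    return [{"app_id": app_id, "name": name, "broad_scopes": sorted(scopes & BROAD_SCOPES)}
            for app_id, name, granted_at, scopes in grants
            if granted_at >= cutoff and scopes & BROAD_SCOPES]


def inactive_supplier_accounts(accounts, now=NOW, max_idle_days=90):
    """Supplier accounts idle for longer than the window, or never used at all."""
    findings = []
    for account, supplier, last in accounts:
        idle = None if last is None else (now - last).days
        if idle is None or idle > max_idle_days:
            findings.append({"account": account, "supplier": supplier, "idle_days": idle})
    return findings


def review_queue():
    """One flat list of (signal, subject, detail) for the weekly exposure room."""
    queue = [("impossible_travel", f["user"], f"{f['km']} km in {f['hours']} h")
             for f in impossible_travel(SIGNINS)]
    queue += [("broad_oauth_grant", g["name"], ", ".join(g["broad_scopes"]))
              for g in broad_oauth_grants(OAUTH_GRANTS)]
    queue += [("inactive_supplier", a["account"],
               "never signed in" if a["idle_days"] is None else f"idle {a['idle_days']} days")
              for a in inactive_supplier_accounts(SUPPLIER_ACCOUNTS)]
    return queue


if __name__ == "__main__":
    for signal, subject, detail in review_queue():
        print(f"{signal:20} {subject:22} {detail}")
```

On the constructed data the queue holds four items: one impossible-travel pair (Berlin to New York in an hour), one new grant with broad scopes, and two supplier accounts (one idle for 120 days, one never used). A never-used supplier account is deliberately treated as a finding rather than ignored, since an account that has never authenticated is still a valid path for whoever holds its credential.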
The goal is to reduce the number of paths where one weak control becomes full operational compromise. A mature program does not wait for an incident to learn how vulnerability, identity, and supplier risk connect.
NATO and allied-state relevance
NATO's public cyber-defence doctrine treats cyberspace as an operational domain and repeatedly ties cyber resilience to the Alliance's ability to deter, defend, and continue political and military functions under pressure. That makes initial access more than an enterprise hygiene issue: exposed edge systems, unmanaged supplier connectivity, and weak identity controls can become a defence-readiness problem when they sit inside ministries, contractors, logistics providers, telecom carriers, or cloud services that support public missions.
For organizations serving NATO member states or their critical suppliers, the practical lesson is to treat exploited vulnerabilities, identity abuse, and third-party access as one converged intake queue. A firewall appliance with a KEV-listed vulnerability, an inactive supplier VPN account, and an OAuth application with broad permissions should be reviewed together because adversaries chain them.
EU and US research signals to merge
ENISA and CERT-EU threat landscape work consistently emphasizes ransomware, supply-chain compromise, vulnerability exploitation, and identity abuse as recurring patterns across European institutions and critical sectors. CISA's KEV catalog gives defenders a prioritization signal based on observed exploitation, while CISA's Secure by Design guidance pushes vendors and buyers to reduce classes of defects before they enter production.
Cyberpert's recommended merge is operational: combine KEV status, internet exposure, asset criticality, privilege reachability, supplier access, and business dependency in one weekly decision room. CVSS remains useful, but it should not be the only ranker. A lower-scored vulnerability on an externally reachable identity gateway may be more urgent than a higher-scored issue buried behind segmentation with no route to crown-jewel services.
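The join described here, the five questions in the operating-picture section, and the metrics proposed under the recommended control posture can all be expressed over one small inventory. The script below is an added example written for this page, not Cyberpert's tooling. Every asset, vulnerability label, supplier and crown-jewel service in it is constructed (the labels "vuln-a" to "vuln-d" are placeholders, not CVE identifiers), and the weights in WEIGHTS are an assumed scheme in which observed exploitation and reachability dominate while CVSS only breaks ties.

```python
"""Rank initial-access paths by joining KEV status, internet exposure, asset
criticality, privilege reachability and supplier access, then derive the
metrics an exposure room tracks. CVSS is used only as a tiebreaker."""
from datetime import date

# Constructed inventory for illustration; assets, vulnerability labels,
# suppliers and weights are assumptions, not data from any real environment.
ASSETS = {
    "idgw-1": {"name": "SSO gateway",               "internet_exposed": True,  "criticality": 5, "owner": "identity-team"},
    "vpn-2":  {"name": "Supplier VPN concentrator", "internet_exposed": True,  "criticality": 4, "owner": None},
    "db-7":   {"name": "Internal reporting DB",     "internet_exposed": False, "criticality": 3, "owner": "data-team"},
    "web-3":  {"name": "Marketing site",            "internet_exposed": True,  "criticality": 1, "owner": "web-team"},
}
VULNS = [
    # (asset_id, label, cvss, in_kev); labels are placeholders, not CVE IDs
    ("idgw-1", "vuln-a", 7.2, True),
    ("vpn-2",  "vuln-b", 8.1, True),
    ("db-7",   "vuln-c", 9.8, False),
    ("web-3",  "vuln-d", 6.5, True),
]
# Crown-jewel services an identity on each asset can reach with admin rights
PRIVILEGE_PATHS = {"idgw-1": {"directory", "mission-erp"}, "vpn-2": {"ot-jumphost"}}
CROWN_JEWELS = {"directory", "mission-erp", "ot-jumphost"}
SUPPLIER_ACCESS = [
    # (account, supplier, asset_id, expires or None)
    ("svc-acme-vpn",     "ACME Logistics", "vpn-2", None),
    ("svc-bolt-support", "Bolt Telecom",   "vpn-2", date(2024, 9, 30)),
]
# Assumed weights: exploitation and reachability dominate, CVSS is added last as a tiebreaker
WEIGHTS = {"kev": 40, "internet_exposed": 25, "criticality": 5, "crown_jewel_path": 20, "supplier_access": 10}


def score_path(asset_id, label, cvss, in_kev):
    """Score one vulnerability on one asset and record why it scored that way."""
    asset = ASSETS[asset_id]
    jewels = PRIVILEGE_PATHS.get(asset_id, set()) & CROWN_JEWELS
    suppliers = [s[0] for s in SUPPLIER_ACCESS if s[2] == asset_id]
    score, reasons = 0.0, []
    if in_kev:
        score += WEIGHTS["kev"]
        reasons.append("KEV")
    if asset["internet_exposed"]:
        score += WEIGHTS["internet_exposed"]
        reasons.append("internet-exposed")
    score += WEIGHTS["criticality"] * asset["criticality"]
    if jewels:
        score += WEIGHTS["crown_jewel_path"]
        reasons.append("path:" + "/".join(sorted(jewels)))
    if suppliers:
        score += WEIGHTS["supplier_access"]
        reasons.append("suppliers:" + ",".join(suppliers))
    score += cvss  # at most 10 points, so it only separates otherwise-equal paths
    return {"asset": asset_id, "name": asset["name"], "vuln": label, "cvss": cvss,
            "score": round(score, 1), "owner": asset["owner"] or "UNOWNED", "reasons": reasons}


def rank_paths(vulns=VULNS):
    """Attack paths, most urgent first."""
    return sorted((score_path(*v) for v in vulns), key=lambda p: p["score"], reverse=True)


def rank_by_cvss_only(vulns=VULNS):
    """The order a CVSS-only ranker would produce, for comparison."""
    return [v[0] for v in sorted(vulns, key=lambda v: v[2], reverse=True)]


def exposure_metrics():
    """The metrics the weekly exposure room tracks instead of raw vulnerability counts."""
    kev = [v for v in VULNS if v[3]]
    owned = [v for v in kev if ASSETS[v[0]]["owner"]]
    return {
        "pct_kev_with_owner": round(100 * len(owned) / len(kev)) if kev else 0,
        "exposed_assets_without_owner": [a for a, d in ASSETS.items() if d["internet_exposed"] and not d["owner"]],
        "supplier_accounts_without_expiry": [s[0] for s in SUPPLIER_ACCESS if s[3] is None],
        "crown_jewel_paths": sum(1 for p in PRIVILEGE_PATHS.values() if p & CROWN_JEWELS),
    }


if __name__ == "__main__":
    for p in rank_paths():
        print(f"{p['score']:6} {p['asset']:7} {p['owner']:14} {' '.join(p['reasons'])}")
    print("cvss-only order:", rank_by_cvss_only())
    print(exposure_metrics())
```

With this data the CVSS-only ranker puts the 9.8 internal database first, while the joined ranking puts it last: it is not internet-exposed, not in KEV, and has no route to a crown-jewel service. The top two rows are both KEV-listed, exposed, and one hop from a crown jewel, and the supplier VPN concentrator rises above the SSO gateway because it also carries a supplier account with no expiry and has no named owner, which is exactly the kind of row an executive summary should show with an owner and a deadline attached.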
Defender operating model
A mature operating model assigns every externally reachable system to a business owner, links it to identity paths, maps supplier access, and records compensating controls when remediation cannot happen immediately. It also defines emergency identity actions that can be executed without a meeting: revoke refresh tokens, disable supplier access, rotate secrets, tighten conditional access policies, and isolate administrative pathways.
The weekly agenda should stay concrete: newly exploited vulnerabilities, exposed services with no owner, privileged paths to mission services, supplier accounts without expiry, new OAuth grants, and exceptions that require executive risk acceptance. The desired executive artifact is not a long vulnerability list, but a short set of attack paths with named owners and deadlines.
